Merchants Ask Court for Relief from EMV Liability Shift

In an anti-trust complaint, two small merchants in Florida say they, and many other retailers, are unfairly being forced to pay fraud-related expenses as a result of the EMV liability shift even though they converted to EMV technology by the card brands' deadline.

Some fraud-prevention experts say the lawsuit, which seeks class action status on behalf of all affected merchants, highlights just how difficult it has been for smaller merchants to get their EMV point-of-sale terminals certified by the card brands.

B&R Supermarket Inc., also known as Milam's Market, and Grove Liquors LLC allege that the card brands, including American Express, Visa, MasterCard and Discover, and leading banks, including Bank of America and Chase, "conspired" for their own benefit to shift billions of dollars of fraud-related expenses back onto merchants without giving merchants "meaningful recourse."

The merchants claim that, despite their timely efforts to purchase and install EMV-compliant point-of-sale equipment, as well as train staff about the shift from magnetic-stripe transactions to EMV chip payments, the card brands and issuing banks failed to ensure those terminals were certified EMV-ready by the Oct. 1, 2015, liability shift date. As a result, the merchants claim they have racked up combined total expenses of more than $10,000 to cover fraudulent transactions and fees from Oct. 1 through Feb. 15.

"Milam's Market and Grove Liquors have been assessed final responsibility by MasterCard and Visa for 88 chargebacks totaling $9,196.22 (plus chargeback $5 fees for each item, for an additional cost to Milam's Market and Grove Liquors of $440 - for a total loss of $9,636.22)," the suit claims. "During the same period the prior year, between October 1, 2014, and February 15, 2015 - before the liability shift - Milam's Market and Grove Liquors were assessed final responsibility by MasterCard and Visa for only four chargebacks."

Among other things, the lawsuit is asking the court to order that the card brands and banks pay affected merchants damages to compensate for fraud expenses that have been shifted back. Additionally, the suit asks that the card brands pay merchants for so-called "overcharges," or their perceived overpayment for fraud, because the interchange fees they pay the card networks to process transactions are, in part, set up to cover fraud losses.

Neither merchant responded to Information Security Media Group's request for comment about the case. Discover declined to comment, and the other card brands did not respond.

Temporary EMV Certifications?

If the case is successful, the card brands may be required to provide temporary certifications to merchants that upgraded terminals and are ready to move forward, says attorney Chris Pierson, who serves as chief information security officer at invoicing and payments provider Viewpost.

"If the allegations in the complaint are true and there is a certification logjam caused by no fault of the merchant or a lack of 'call to action,' then there may be a simple, more process-driven solution to issue temporary certifications based on self-attestation in the interim (maybe for a year) as long as the certification review is scheduled," he says.

The case is not challenging the need to shift to EMV or merchants' need to invest in new POS terminals, Pierson notes.

"This case hones in on just one aspect of the payment ecosystem - that being the certification of the POS system that is now in place," he says. "In this case, it appears as though the companies [B&R and Grove Liquors] were waiting diligently in line for this certification to occur, and one would think that matters such as this could be reviewed and decided if the companies have made their best efforts to comply. Alternatively, without a certain date by which liability shifts, merchants might not be incented to move quickly. It seems like both a stick and carrot are necessary to achieve a stronger payment ecosystem in this case."

Small Merchants at Disadvantage

At the heart of the two Florida retailers' claim is that smaller merchants have been placed at a disadvantage. While certifying the EMV-readiness of large merchants such as Target and Walmart has been a priority, certification of merchants with lower volumes of transactions has lagged, the lawsuit claims. "Merchants like Milam's Market and Grove Liquors have no control over the 'certification' process," the suit alleges. "All they can do is request 'certification' and wait for it to occur. And no one can say when that will be."

For months leading up to the Oct. 1 liability shift, retail associations and industry analysts and experts warned that timely certification of POS terminals at smaller merchants would prove challenging.

At an Oct. 21, 2015, House Small Business Committee hearing about the EMV migration's impact on smaller merchants, Jared Scheeler, managing director of The Hub Convenience Stores, testified that small businesses have essentially had their hands tied behind their backs when it comes to reducing card fraud. He argued the card brands are to blame (see Is EMV Bad News to Small Businesses?). That's because Hub, in spite of initiating its EMV migration in 2014, was still not certified EMV compliant by the Oct. 1 liability shift date, he said.

Liz Garner, vice president of the retail association the Merchant Advisory Group, has noted in interviews with ISMG that finding technicians who know each card brand's specifications, which vary widely, has proven challenging, especially for smaller merchants who often get "pushed to the back of the line."

"The merchants point out that their fraud rates and charges have risen more than 20 times since the October 2015 EMV deadlines that shift liability from the banks to merchants for card-present card fraud, if merchants are not accepting chip transactions," Litan writes. "This is unfair, because merchants cannot accept EMV chip card transactions unless their equipment is EMV-certified, and there is a long backlog and queue for this certification process. The plaintiffs did what they could and installed the necessary EMV equipment long ago, but cannot turn the chip readers on. Many card-accepting companies throughout the U.S. are in the same position."

Litan notes that the potential for this crisis was first noted by Gartner and others in September. But the amount of fraud that would be shifted back was underestimated, she says.

"I hope this suit does set a new precedent and forces the card brands to take more ownership of this problem by delaying the liability shift until the certification queue is cleared," Litan adds.

About the Author

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;